2 changes: 1 addition & 1 deletion .github/workflows/python-publish.yml
Expand Up @@ -33,7 +33,7 @@ jobs:
- name: Build package
run: poetry build
- name: Publish package
uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify commit hash and Node 24 compatibility for pypa/gh-action-pypi-publish

# Check if commit hash corresponds to v1.14.0
echo "Checking if commit cef221092ed1bacb1cc03d23a2d87d1d172e277b corresponds to v1.14.0..."
gh api repos/pypa/gh-action-pypi-publish/git/refs/tags/v1.14.0 --jq '.object.sha'

# Check the action.yml to see what Node version it runs on
echo -e "\nChecking Node version used by v1.14.0..."
gh api repos/pypa/gh-action-pypi-publish/contents/action.yml?ref=v1.14.0 --jq '.content' | base64 -d | grep -A2 "runs:"

Repository: qdrant/fastembed

Length of output: 263


🏁 Script executed:

#!/bin/bash
set -euo pipefail
SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
REPO="pypa/gh-action-pypi-publish"
TAG="v1.14.0"

echo "1) Tag -> SHA check (v1.14.0 expected vs pinned SHA)"
gh api repos/$REPO/git/refs/tags/$TAG --jq '.object.sha'

echo
echo "2) Determine what tag(s) point to the pinned SHA"
gh api repos/$REPO/git/refs/tags --paginate --jq --arg SHA "$SHA" '.[] | select(.object.sha==$SHA) | .ref' || true

echo
echo "3) Inspect action.yml runtime for v1.14.0"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | rg -n "runs:|using:|node|node-version" || true

Repository: qdrant/fastembed

Length of output: 325


🏁 Script executed:

#!/bin/bash
set -euo pipefail
SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
REPO="pypa/gh-action-pypi-publish"
TAG="v1.14.0"

echo "1) Check tags -> SHA match for pinned SHA (which tag(s), if any, point to it)"
gh api repos/$REPO/git/refs/tags --paginate --jq ".[] | select(.object.sha==\"$SHA\") | .ref"

echo
echo "2) action.yml content summary for $TAG (search for nested actions / node runtimes)"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | nl -ba | rg -n "^( *[0-9]+\\s+)?runs:|^( *[0-9]+\\s+)?using:|node-version|\\bnode\\b|^\\s*uses:|^\\s*run:"

Repository: qdrant/fastembed

Length of output: 285


🏁 Script executed:

#!/bin/bash
set -euo pipefail
REPO="pypa/gh-action-pypi-publish"
SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

echo "A) Inspect response shape for refs/tags (per_page=1)"
gh api repos/$REPO/git/refs/tags?per_page=1 | python3 - <<'PY'
import sys, json
data=json.load(sys.stdin)
print(type(data))
print(data.keys() if isinstance(data, dict) else "not-a-dict")
PY

echo
echo "B) Find tag(s) pointing to pinned SHA"
# Try common GitHub API shape: { refs: [...] }
gh api repos/$REPO/git/refs/tags --paginate | python3 - <<'PY'
import sys, json
data=json.load(sys.stdin)
# If paginated, gh api outputs concatenated JSON objects; handle by reading line by line
PY

Repository: qdrant/fastembed

Length of output: 852


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="pypa/gh-action-pypi-publish"
SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
TAG="v1.14.0"

echo "1) Tags pointing to pinned SHA ($SHA):"
gh api repos/$REPO/git/refs/tags --paginate --jq ".. | objects | select(.object?.sha? == \"$SHA\") | .ref" || true

echo
echo "2) action.yml runs.using for tag $TAG:"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | rg -n "^\s*runs:|^\s*using:|^\s*steps:" -n

echo
echo "3) action.yml runs.using for pinned ref (SHA):"
gh api repos/$REPO/contents/action.yml?ref=$SHA --jq '.content' | base64 -d | rg -n "^\s*runs:|^\s*using:|^\s*steps:" -n

echo
echo "4) action.yml at $TAG: list of nested action references (uses@...)"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | rg -n "^\s*uses:\s" || true

echo
echo "5) action.yml at $TAG: show lines around nested uses (if any)"
gh api repos/$REPO/contents/action.yml?ref=$TAG --jq '.content' | base64 -d | rg -n -C2 "^\s*uses:\s" || true

Repository: qdrant/fastembed

Length of output: 1073


🏁 Script executed:

#!/bin/bash
set -euo pipefail
REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

echo "1) Find tag(s) that point to pinned SHA using matching-refs (pypa/gh-action-pypi-publish)"
# Try to find any v1.* tags that resolve to the pinned SHA.
gh api repos/$REPO/git/matching-refs/tags/v1.* --paginate --jq ".[] | select(.object.sha==\"$PINNED_SHA\") | .ref" || true
echo
echo "2) Get v1.14.* tags SHAs to see where pinned SHA would land"
gh api repos/$REPO/git/matching-refs/tags/v1.14.* --paginate --jq ".[] | {ref:.ref, sha:.object.sha}" || true

echo
echo "3) Inspect actions/setup-python action.yml for its runs.using (ref from nested uses)"
SETUP_PY_REF="a26af69be951a213d495a4c3e4e4022e16d87065"
gh api repos/actions/setup-python/contents/action.yml?ref=$SETUP_PY_REF --jq '.content' | base64 -d | rg -n "^\s*runs:|^\s*using:|node-version|node\d+|^\\s*steps:|^\\s*uses:" -n

Repository: qdrant/fastembed

Length of output: 327


🏁 Script executed:

#!/bin/bash
set -euo pipefail
REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

echo "1) Find any tag(s) that point to pinned SHA across all v* tags"
gh api repos/$REPO/git/matching-refs/tags/v* --paginate --jq ".[] | select(.object.sha==\"$PINNED_SHA\") | .ref" || true

echo
echo "2) Inspect nested local action runs.using for v1.14.0 (run-pypi-publish-in-docker-container)"
# Path referenced in action.yml at v1.14.0
NESTED_PATH=".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container"
gh api repos/$REPO/contents/$NESTED_PATH?ref=v1.14.0 --jq '.content' | base64 -d | rg -n "^\s*runs:|^\s*using:|node-version|node\d+|^\s*steps:|^\s*uses:" -n || true

Repository: qdrant/fastembed

Length of output: 282


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="pypa/gh-action-pypi-publish"
TAG="v1.14.0"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

# v1.14.0 commit sha (what GitHub tag resolves to)
TAG_SHA="$(gh api repos/$REPO/git/refs/tags/$TAG --jq '.object.sha')"
echo "v1.14.0 resolves to commit: $TAG_SHA"
echo

echo "1) Files under .github/.tmp/.generated-actions (v1.14.0 commit) containing run-pypi-publish-in-docker-container"
gh api repos/$REPO/git/trees/$TAG_SHA --recursive --jq '
  [.tree[]
    | select(.path | test("\\.github/\\.tmp/\\.generated-actions/.*run-pypi-publish-in-docker-container"))
    | {path, type}
  ][0:50]
'

echo
echo "2) Files under .github/.tmp/.generated-actions (pinned commit) containing run-pypi-publish-in-docker-container"
gh api repos/$REPO/git/trees/$PINNED_SHA --recursive --jq '
  [.tree[]
    | select(.path | test("\\.github/\\.tmp/\\.generated-actions/.*run-pypi-publish-in-docker-container"))
    | {path, type}
  ][0:50]
'

echo
echo "3) For any discovered action.yml under those paths, print runs.using/node runtime (try common action.yml locations)"
# Try a couple likely paths; if none exist, step 4 will show what exists.
for ref in "$TAG" "$PINNED_SHA"; do
  echo "--- Inspect runs.using for candidate nested action.yml at ref=$ref ---"
  for candidate in \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/action.yml" \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container.yml" \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container.yaml" \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/index.js" \
    ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/dist/action.yml"
  do
    out="$(gh api repos/$REPO/contents/$candidate?ref=$ref --jq '.content' 2>/dev/null | base64 -d 2>/dev/null || true)"
    if [ -n "$out" ]; then
      echo "Found content at: $candidate (ref=$ref)"
      echo "$out" | rg -n "^\s*runs:|^\s*using:|node-version|node[0-9]+|^\s*steps:|^\s*inputs:" || true
      break
    fi
  done
done

echo
echo "4) If 3 found nothing, show exact action.yml files under .github/.tmp/.generated-actions/run-pypi-publish-in-docker-container* (v1.14.0)."
gh api repos/$REPO/git/trees/$TAG_SHA --recursive --jq '
  [.tree[] | select(.path | test("\\.github/\\.tmp/\\.generated-actions/.*run-pypi-publish-in-docker-container") and (.path|test("action\\.ya?ml$"))) | .path][0:30]
'

Repository: qdrant/fastembed

Length of output: 1679


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
TAG="v1.14.0"

echo "1) What tag does v1.14.0 resolve to?"
gh api repos/$REPO/git/refs/tags/$TAG --jq '.object.sha'

echo
echo "2) Does pinned SHA map to any v1.14.* tag?"
gh api repos/$REPO/git/matching-refs/tags/v1.14.* --paginate --jq ".[] | select(.object.sha==\"$PINNED_SHA\") | .ref" || true

echo
echo "3) pypa/gh-action-pypi-publish@PINNED_SHA: runs.using + nested action versions"
gh api repos/$REPO/contents/action.yml?ref=$PINNED_SHA --jq '.content' | base64 -d \
  | rg -n "runs:|using:|^\\s*uses:\\s|setup-python@|checkout@|node(1|2|3|4)\\d|node-version" || true

echo
echo "4) actions/checkout@de0fac... runs.using"
CHECKOUT_SHA="de0fac2e4500dabe0009e67214ff5f5447ce83dd"
gh api repos/actions/checkout/contents/action.yml?ref=$CHECKOUT_SHA --jq '.content' | base64 -d \
  | rg -n "runs:|using:|node-version|node(1|2|3|4)\\d" || true

echo
echo "5) actions/setup-python@a309ff... runs.using"
SETUP_PY_SHA="a309ff8b426b58ec0e2a45f0f869d46889d02405"
gh api repos/actions/setup-python/contents/action.yml?ref=$SETUP_PY_SHA --jq '.content' | base64 -d \
  | rg -n "runs:|using:|node-version|node(1|2|3|4)\\d" || true

Repository: qdrant/fastembed

Length of output: 614


🏁 Script executed:

#!/bin/bash
set -euo pipefail
REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"

echo "1) Show the exact line(s) where the local nested action is referenced (from action.yml at pinned SHA)"
gh api repos/$REPO/contents/action.yml?ref=$PINNED_SHA --jq '.content' | base64 -d | sed -n '150,190p'

echo
echo "2) List the directory contents for .github/.tmp/.generated-actions/run-pypi-publish-in-docker-container at pinned SHA"
LOCAL_DIR=".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container"
gh api repos/$REPO/contents/$LOCAL_DIR?ref=$PINNED_SHA || true

echo
echo "3) If action.yml exists inside that directory, print its runs.using"
for f in "action.yml" "action.yaml" "runs/action.yml" "dist/action.yml"; do
  gh api repos/$REPO/contents/$LOCAL_DIR/$f?ref=$PINNED_SHA --jq '.content' 2>/dev/null \
    | base64 -d 2>/dev/null | rg -n "runs:|using:|node-version|node(1|2|3|4|20|24)" && exit 0
done
echo "No action.yml/action.yaml found at common locations under $LOCAL_DIR (or contents API didn’t return content)."

Repository: qdrant/fastembed

Length of output: 2020


🏁 Script executed:

#!/bin/bash
set -euo pipefail

REPO="pypa/gh-action-pypi-publish"
PINNED_SHA="cef221092ed1bacb1cc03d23a2d87d1d172e277b"
SETUP_PY_SHA_NESTED="a26af69be951a213d495a4c3e4e4022e16d87065"

echo "1) actions/setup-python@a26af... runs.using (node runtime)"
gh api repos/actions/setup-python/contents/action.yml?ref=$SETUP_PY_SHA_NESTED --jq '.content' | base64 -d \
  | rg -n "^\s*runs:|^\s*using:" -n || true
echo
gh api repos/actions/setup-python/contents/action.yml?ref=$SETUP_PY_SHA_NESTED --jq '.content' | base64 -d \
  | rg -n "node(1|2|3|4|16|20|24)|node-version" || true

echo
echo "2) Does .github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/* exist in pinned SHA tree?"
# List matching paths in the git tree (recursive=1 is a query param, not a gh flag)
gh api "repos/$REPO/git/trees/$PINNED_SHA?recursive=1" --jq '
  [.tree[] | select(.path | test("^\\.github/\\.tmp/\\.generated-actions/run-pypi-publish-in-docker-container/")) | .path] | .[0:50]
'

echo
echo "3) If action.yml exists inside that directory, print its runs.using"
# Try common action.yml locations under that directory
for p in \
  ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/action.yml" \
  ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/action.yaml" \
  ".github/.tmp/.generated-actions/run-pypi-publish-in-docker-container/dist/action.yml"
do
  echo "--- Trying $p"
  out="$(gh api repos/$REPO/contents/$p?ref=$PINNED_SHA --jq '.content' 2>/dev/null | base64 -d 2>/dev/null || true)"
  if [ -n "$out" ]; then
    echo "$out" | rg -n "^\s*runs:|^\s*using:|node(1|2|3|4|16|20|24)|node-version" || true
  fi
done

Repository: qdrant/fastembed

Length of output: 628


Fix the pypa/gh-action-pypi-publish pin + ensure Node 24 compatibility

  • The commit you pinned (cef221092ed1bacb1cc03d23a2d87d1d172e277b) does not match the v1.14.0 tag commit (the v1.14.0 tag resolves to 6733eb7d741f0b11ec6a39b58540dab7590f9b7d).
  • At v1.14.0, pypa/gh-action-pypi-publish is runs: using: composite, but it internally uses actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 (v5.6.0), whose action.yml runs on node20—so the publish action isn’t fully Node 24–compatible.
  • Your workflow’s direct actions/checkout@de0fac... and actions/setup-python@a309ff... pins are node24, so the Node 24 issue is specifically inside pypa/gh-action-pypi-publish.
🧰 Tools
🪛 zizmor (1.25.2)

[info] 36-36: prefer trusted publishing for authentication (use-trusted-publishing): this step

(use-trusted-publishing)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/python-publish.yml at line 36, the workflow pins
pypa/gh-action-pypi-publish to an incorrect commit (uses:
pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b) which does
not match the v1.14.0 tag and may pull an implementation incompatible with Node
24; update the uses entry so it either references the exact v1.14.0 tag commit
(6733eb7d741f0b11ec6a39b58540dab7590f9b7d) or, preferably, switch to a newer
release/tag of pypa/gh-action-pypi-publish that is confirmed Node 24–compatible,
and then verify its nested actions (like actions/setup-python) are also pinned
to Node 24-compatible commits.

with:
user: __token__
password: ${{ secrets.PYPI_API_TOKEN }}
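Review bot: the `# v1.14.0` trailer on the new `uses:` line is the only human-readable clue to what the pinned SHA is, so before merging it must be confirmed that cef221092ed1bacb1cc03d23a2d87d1d172e277b is the commit that v1.14.0 points at; the analysis above resolved that tag to 6733eb7d741f0b11ec6a39b58540dab7590f9b7d, which differs. One caveat on that resolution: `git/refs/tags/<tag> --jq '.object.sha'` returns the tag object rather than the commit when the tag is annotated, so peel it (`git rev-parse 'v1.14.0^{commit}'` in a clone) before concluding the pin is wrong, and whichever commit is kept, the trailer must name the tag it actually corresponds to. Separately, the unchanged context `user: __token__` / `password: ${{ secrets.PYPI_API_TOKEN }}` is what zizmor's use-trusted-publishing finding points at; moving this step to trusted publishing would let the long-lived PyPI token be removed from the repository secrets.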
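An added offline check for the drift the review comment describes (example code, not part of this PR or of the bot's scripts): it parses SHA-pinned `uses:` lines, reads the `# vX.Y.Z` trailer, and compares the pinned SHA with what a caller-supplied resolver says the tag points to. The resolver table and the second pin are constructed stand-ins; the v1.14.0 value is the one reported above.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# "uses: owner/repo[/path]@<40-hex sha>" with an optional "# vX.Y.Z" trailer.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<sha>[0-9a-f]{40})"
    r"(?:\s*#\s*(?P<tag>v?\d+(?:\.\d+)*))?\s*$"
)

def parse_pins(workflow_text: str) -> List[dict]:
    """Every SHA-pinned `uses:` step with its line number and trailer tag (None if absent)."""
    pins = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            pins.append({"line": lineno, **m.groupdict()})
    return pins

def check_pins(workflow_text: str, resolve_tag: Callable[[str, str], Optional[str]]) -> List[str]:
    """Flag pins whose trailer tag does not resolve to the pinned SHA.
    resolve_tag(action, tag) must return the commit SHA the tag points to, or None."""
    findings = []
    for pin in parse_pins(workflow_text):
        where = f"line {pin['line']}: {pin['action']}@{pin['sha'][:7]}"
        if pin["tag"] is None:
            findings.append(f"{where} has no version trailer, so the pin cannot be reviewed")
            continue
        tag_sha = resolve_tag(pin["action"], pin["tag"])
        if tag_sha is None:
            findings.append(f"{where} claims {pin['tag']}, but that tag does not exist")
        elif tag_sha != pin["sha"]:
            findings.append(f"{where} claims {pin['tag']}, but that tag resolves to {tag_sha[:7]}")
    return findings

# Constructed sample: the step changed in this PR, plus a hypothetical pin that matches its tag.
FAKE_SHA = "a" * 40
SAMPLE_WORKFLOW = f"""\
      - name: Publish package
        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
      - uses: example-org/example-action@{FAKE_SHA} # v2.0.0
"""

# Constructed stand-in for `gh api repos/<action>/git/refs/tags/<tag>`: the v1.14.0 entry
# is the commit the review comment reports; the example-org entry is made up.
TAG_TABLE: Dict[Tuple[str, str], str] = {
    ("pypa/gh-action-pypi-publish", "v1.14.0"): "6733eb7d741f0b11ec6a39b58540dab7590f9b7d",
    ("example-org/example-action", "v2.0.0"): FAKE_SHA,
}

def offline_resolver(action: str, tag: str) -> Optional[str]:
    return TAG_TABLE.get((action, tag))
```

If you back `resolve_tag` with `gh api repos/<owner>/<repo>/git/refs/tags/<tag>`, peel annotated tags first (when `.object.type` is `"tag"`, `.object.sha` is the tag object, and `git/tags/<sha>` yields the commit), otherwise a correct pin is reported as drift.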